Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Client-side OAuth with PKCE (Indy.code() 2022)

Scott McAllister
May 24, 2023
Programming
1
51

Client-side OAuth with PKCE (Indy.code() 2022)

The OAuth standard has been around for a while, but traditionally it has required a back-end server to hold a client secret, well, secret. Managing secrets can be a very hard problem to solve. Until now! By supporting Proof Key for Code Exchange, or PKCE, OAuth flows can now be accomplished entirely in the client--and still be secure. In this talk we begin the standard three-legged flow and then introduce PKCE. By the time you leave, you will understand how to implement it in your client applications and the benefits for doing so.

This version was presented at Indy.Code() 2022.

Scott McAllister

May 24, 2023
Tweet

More Decks by Scott McAllister

See All by Scott McAllister
Simple Ways to Make Webhook Security Better
stmcallister
0
37
What the Heck is HTTP?
stmcallister
1
81
Modules, Loops and More: How to Scale with Terraform
stmcallister
0
55
Building Ingress: From Concept to Connection (#JOTB23)
stmcallister
0
67
Node and OAuth on the Command Line -- Twin Cities Code Camp 2018
stmcallister
0
70

Other Decks in Programming

See All in Programming
PostmanでAPIの動作確認が楽になった話
h455h1
0
180
CA.swift19 恋するAIアプリ開発の裏側
oskmr
0
380
StoreKit2によるiOSのアプリ内課金のリニューアル
kangnux
0
120
Introducing Kotlin Multiplatform in an existing mobile app - Workshop Edition | AndroidMakers Paris
prof18
0
150
Ruby GitHub Packages
bkuhlmann
0
640
0→1と1→10の狭間で Javaという技術選定を振り返る/Reflecting on the Decision to Choose Java Between Scaling from 0 to 1 and 1 to 10
jaguar_imo
2
400
見た目から始める生産性向上
ikumatadokoro
10
1.3k
Snowflakeで眠ったデータを起こそう!
estie
0
140
FigmaとPHPで作る1ミリたりとも表示崩れしない最強の帳票印刷ソリューション
ttskch
43
19k
OpenAPIを中心に考えるAPI開発入門 / Introduction to API Development with a Focus on OpenAPI
seike460
PRO
2
170
Goのmultiple errorsについて (2024年4月版)
syumai
4
1.2k
Netty Chicago Java User Group 2024-04-17
sullis
0
200

Featured

See All Featured
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
104
6.6k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
228
16k
From Idea to $5000 a Month in 5 Months
shpigford
378
45k
Raft: Consensus for Rubyists
vanstee
133
6.3k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
323
20k
Writing Fast Ruby
sferik
622
60k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k
The Power of CSS Pseudo Elements
geoffreycrofte
62
5k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
22
1.6k
GitHub's CSS Performance
jonrohan
1025
450k
4 Signs Your Business is Dying
shpigford
176
21k
Designing for Performance
lara
602
67k

Transcript

  1. Client-side OAuth with PKCE Scott McAllister @stmcallister

  2. A long time ago in a galaxy far, far away....

    @stmcallister

  3. @stmcallister Your App Google Calendar

  4. @stmcallister Your App Google Calendar Google Username and Password Calendar

    Data

  5. @stmcallister Your App Google Calendar Google Username and Password Calendar

    Data Password Anti-Pattern

  6. No easy way to revoke access from the client App

    @stmcallister

  7. Once they’re in they’re hard to stop @stmcallister

  8. Access: All or Nothing @stmcallister

  9. User can’t remove credentials from third-party apps @stmcallister

  10. OAuth @stmcallister

  11. @stmcallister OAuth ❏ Open standard for authorizing secure access on

    HTTP service ❏ Uses tokens rather than password data to prove identity ❏ Provides “secure delegated access” to client applications ❏ Limits user’s scope of access

  12. OAuth with Client Secret @stmcallister

  13. @stmcallister Keep it Secret. Keep it safe.

  14. @stmcallister Client App PagerDuty Request authorization with Client ID and

    Redirect URI

  15. @stmcallister Client App PagerDuty Request authorization with Client ID and

    Redirect URI User Allows or Denies Access

  16. @stmcallister Client App PagerDuty Request authorization with Client ID and

    Redirect URI User Allows or Denies Access Auth code returned

  17. @stmcallister Client App PagerDuty Request authorization with Client ID and

    Redirect URI Request Access Token with Auth Code, Client ID and Client Secret User Allows or Denies Access Auth code returned

  18. @stmcallister Client App PagerDuty Request authorization with Client ID and

    Redirect URI Request Access Token with Auth Code, Client ID and Client Secret User Allows or Denies Access Auth code returned Access Token Returned

  19. Implicit OAuth @stmcallister

  20. @stmcallister Client App PagerDuty Request authorization with Client ID and

    Redirect URI User Allows or Denies Access Access Token Returned

  21. OAuth with Proof Key for Code Exchange (PKCE) @stmcallister

  22. @stmcallister PKCE Terms ❏ Code_verifier ❏ Random 128byte, base64 urlEncoded

    value ❏ Code_challenge ❏ Hashed, base64 urlEncoded (no padding) value of Code_verifier ❏ Challenge_method ❏ Method of hash used

  23. @stmcallister Client App PagerDuty

  24. @stmcallister Client App PagerDuty Generate & Save code verifier Create

    code challenge

  25. @stmcallister Client App PagerDuty Request authorization with Client ID, Code

    Challenge, Code Challenge Method, and Redirect URI User Allows or Denies Access Generate & Save code verifier Create code challenge

  26. @stmcallister Client App PagerDuty Request authorization with Client ID, Code

    Challenge, Code Challenge Method, and Redirect URI User Allows or Denies Access Auth code returned Generate & Save code verifier Create code challenge

  27. @stmcallister Client App PagerDuty Request authorization with Client ID, Code

    Challenge, Code Challenge Method, and Redirect URI Request Access Token with Auth Code, Client ID and Code Verifier User Allows or Denies Access Auth code returned Generate & Save code verifier Create code challenge Validates Code & Code Verifier

  28. @stmcallister Client App PagerDuty Request authorization with Client ID, Code

    Challenge, Code Challenge Method, and Redirect URI Request Access Token with Auth Code, Client ID and Code Verifier User Allows or Denies Access Auth code returned Access Token Returned Generate & Save code verifier Create code challenge Validates Code & Code Verifier

  29. @stmcallister

  30. @stmcallister

  31. Layers of Security 1. Redirect URI must be registered 1.

    Prevents App Mocking @stmcallister

  32. Layers of Security 1. Redirect URI must be registered 2.

    Code Exchange for token 1. Prevents App Mocking 2. Prevents Man in the Middle @stmcallister

  33. Layers of Security 1. Redirect URI must be registered 2.

    Code Exchange for token 3. PKCE 1. Prevents App Mocking 2. Prevents Man in the Middle 3. Proves layers 1 and 2 are unified @stmcallister

  34. Further Reading Sample Code https://github.com/PagerDuty-Samples/pagerduty-bulk-user-mgr-sample Implement the OAuth 2.0 Auth

    Code with PKCE Flow https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce @stmcallister

  35. Scott McAllister Speaker, Writer, Coder PagerDuty @stmcallister stmcallister.github.io